things that catch my interest


PS3 Exploit Tidbits

I haven’t gotten around to doing an update in a while because work (and a little relaxation) has been taking all my time. Rather than wait until I have finished everything I wanted to before posting again, I decided to post some tidbits to tide you over until the rest is ready. Before I do so, I’d like to make the following clear, as no matter how many times I say it, people believe what they want to believe instead:

THIS PS3 EXPLOIT WILL NOT ENABLE PLAYING OF COPIED OR BACKED UP GAMES. THE EXPLOIT IS FOR RESEARCH PURPOSES ONLY.

It seems someone took some initiative and wrote their own software to dump the hypervisor once they had the correct hardware and software. So, for anyone who has used that and dumped their own hypervisor, I present this PS3 HV Dump setup script for IDA. The script sets up the function tables, including the hypercall (syscall) table, the mmcall table, the OPD, the TOC and the GOT. It finds common functions such as puts and printf and, very importantly, it fixes up all rtoc (r2-relative) references, which are how the code accesses global variables and strings.

To use the script, extract it somewhere, then from within IDA select “File->IDC File…”, navigate to where you extracted the file and select it. Please note that this script could overwrite your previous work, so back up your idb/i64 file before running it. I recommend running it on a freshly created database: load your hypervisor dump into IDA as “ppc” at ROM address 0, then run this script as detailed above before doing anything else.
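To make concrete what the script’s OPD/TOC setup and rtoc fixups actually involve, here is a small worked example added to this page; it is not the IDC script itself or any code from the original post. It assumes lv1 follows the standard 64-bit PowerPC ELF function-descriptor layout (each OPD entry is three doublewords: entry address, TOC base, environment pointer), which is what an OPD/TOC setup implies, and that r2 (rtoc) holds the TOC base at runtime, so an instruction such as `ld r4, -0x80(r2)` reads a global at TOC − 0x80. The OPD bytes, instruction words and addresses below are constructed for illustration and are not from a real dump.

```python
import struct

# Constructed sample data (not from a real lv1 dump): a two-entry OPD laid out
# per the 64-bit PowerPC ELF ABI (entry address, TOC base, env), big-endian.
SAMPLE_TOC_BASE = 0x300000
SAMPLE_OPD = struct.pack(
    ">QQQQQQ",
    0x12340, SAMPLE_TOC_BASE, 0,   # descriptor for some function A (made-up address)
    0x45678, SAMPLE_TOC_BASE, 0,   # descriptor for some function B (made-up address)
)


def parse_opd(blob):
    """Split an OPD blob into (entry, toc, env) descriptors; returns a list."""
    if len(blob) % 24:
        raise ValueError("OPD length is not a multiple of 24 bytes")
    return [struct.unpack_from(">QQQ", blob, off) for off in range(0, len(blob), 24)]


def toc_base_from_opd(blob):
    """All descriptors of one module share a TOC base; recover it and sanity-check."""
    tocs = {toc for _, toc, _ in parse_opd(blob)}
    if len(tocs) != 1:
        raise ValueError("OPD descriptors disagree on TOC base: %r" % sorted(tocs))
    return tocs.pop()


def sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


# Primary opcodes of the single-instruction r2-relative forms handled here.
D_FORM = {14: "addi", 32: "lwz", 36: "stw"}   # 16-bit signed displacement
DS_FORM = {58: {0: "ld"}, 62: {0: "std"}}     # 14-bit displacement << 2, XO in low 2 bits


def decode_rtoc_ref(word, toc):
    """If `word` is an r2-relative addi/lwz/stw/ld/std, return (mnemonic, rt, target).

    Returns None for anything else (other opcodes, or RA != 2).  Two-instruction
    large-TOC sequences (addis rX,r2,hi ; ld rY,lo(rX)) are not resolved here.
    """
    opcd = word >> 26
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    if ra != 2:
        return None
    if opcd in D_FORM:
        disp = sext(word & 0xFFFF, 16)
        return D_FORM[opcd], rt, (toc + disp) & 0xFFFFFFFFFFFFFFFF
    if opcd in DS_FORM:
        xo = word & 0x3
        if xo not in DS_FORM[opcd]:
            return None
        disp = sext(word & 0xFFFC, 16)    # DS || 0b00, then sign-extend
        return DS_FORM[opcd][xo], rt, (toc + disp) & 0xFFFFFFFFFFFFFFFF
    return None


def resolve_rtoc_refs(code, base, toc):
    """Scan big-endian code loaded at `base`; map instruction address -> (mnemonic, rt, target)."""
    refs = {}
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from(">I", code, off)
        hit = decode_rtoc_ref(word, toc)
        if hit:
            refs[base + off] = hit
    return refs


# Constructed code bytes (made-up instruction words at a made-up address):
#   addi r3, r2, 0x120 ; ld r4, -0x80(r2) ; lwz r5, 0x40(r2) ; addi r6, r1, 0x10 (not rtoc)
SAMPLE_CODE = struct.pack(">IIII", 0x38620120, 0xE882FF80, 0x80A20040, 0x38C10010)
SAMPLE_CODE_BASE = 0x1000

if __name__ == "__main__":
    toc = toc_base_from_opd(SAMPLE_OPD)
    print("TOC base from OPD: 0x%x" % toc)
    for addr, (mnem, rt, target) in sorted(resolve_rtoc_refs(SAMPLE_CODE, SAMPLE_CODE_BASE, toc).items()):
        print("0x%x: %s r%d -> global at 0x%x" % (addr, mnem, rt, target))
```

Running it prints the TOC base recovered from the OPD and the absolute target of each r2-relative instruction; the equivalent fixup in IDA turns those raw displacements into offset operands pointing at the global or string, which is what gives you cross-references on the strings. The caveat noted in the code matters on a real dump: large-TOC sequences (an addis from r2 followed by a dependent load) need a small pass of register tracking that this example does not do.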

The other tidbit I wanted to share is the updated PPC Altivec plugin source code, which I had forgotten to include in the recent releases but which a few people have since asked for. Here is the PPC Altivec plugin v1.6 for IDA v5.6 with source code. If anyone makes any fixes or adds support for new instructions, please pass these updates back to me so I can share them on this site.

Thanks sapperlott, I have updated the script from your notes (just use the same link from the post above). I wasn’t going to label the peek/poke calls, but since they are otherwise invalid I guess it won’t hurt. As for the htab parser, I don’t really see the point of it. If someone can point out how it helps with reversing, I will add support for it to the script.

0xe3000 seems to be some sort of NAND directory structure. So the code referring to unk_E3000 might access the flash. This structure appears at various memory locations (the first 0x80 bytes vary, though – some kind of header?)

sapperlott: That “dump analysis” is basically just a bunch of n00bs reading ASCII strings in a hex editor. The dump contains lots of “parts” of data but not the full things. It is mainly just a dump of the hypervisor (lv1) code.

titanmkd: Check my new post for info on htabs and PTEs etc. I don’t really see how parsing them will help in any way, however. Using the source code in my new post you can dump and parse your own. They don’t tell you anything of interest that isn’t already known.

kicko: The Blu-ray drives are totally untouched by this exploit. You cannot access anything inside the Blu-ray drive via this exploit. And the whole PS3 BD-ROM drive using ROM-Mark stuff is garbage; whoever said the PS3 uses it is pulling the information out of their arse.

Guys, can you tell me who taught you all those things about computers? Personally, I have always wanted to know how to program computers but never knew where to learn from. I am just amazed that you know all those details about memory addresses and that it doesn’t scare you that the PS3 is so well secured. Phenomenal.

Shut up dude.. it looks pretty cool because they understand what they are talking about between themselves, but this exploit doesn’t do anything special!

It doesn’t bring anything new, since the goal of the hack should be to use the PS3 for purposes other than playing games (since it is a gaming console), but nothing is done yet. We cannot use it as a workstation, cannot use all the core power in Linux and of course cannot play games bypassing the security.

So I don’t know what they are going to do with this “exploit”, but all we know is about read and write access on the hypervisor. At least if it were possible to run a homebrew or something.. nothing yet.

I think it’s great that you’re doing all this work, but being a complete noob to Linux I’m not sure what it all means. I bought my PS3 when they first came out. One of the selling points (for me) was the fact that you could use it as a Linux-based computer as well. I installed Yellow Dog about 3 months after getting the PS3 and TBH haven’t done anything since. I do want to learn how to use Linux (eventually), but don’t want to buy another laptop to do it. I’m totally hacked off with Sony for removing this function.
I’ve never used torrents, downloaded pirated movies, illegally downloaded any music, and I’ve never played a hacked game in my life! I’ve had PS1, PS2 and PS3 and have always appreciated the “backward compatibility” that has been a feature of PlayStation for as long as I can remember. I don’t want to get involved in hardware hacks and am not interested in piracy or copyright theft; all I want is my Other OS back! Currently I’m sat here on Vers. 3.15 waiting for the PUP file that will give me my Other OS but update the rest of the software. (Apparently the noisy fan will go a lot quieter after the update.) As an aside, COD4 Modern Warfare tried to update last night but failed to install (something to do with not being the right OS version, perhaps?). Now I can’t play the game at all, not even logging in as another user.
George Hotz said that he’d be releasing a PUP file that would let you keep your Other OS function, but I think he’s been “nobbled” by Sony not to release it. Is a suitably edited PUP file on the cards at all? Or am I to spend my life with my PS3 guts all over the floor, flashing the hypervisor every time I turn the machine off and rewriting code for every update Sony releases?